Because the image arrives CIS Level 1 hardened with the AWS tooling already in place, our servers come up patched, locked down, and ready to join the domain without a separate build out pass.
The hardened defaults also occasionally trip up common installers and agents: a few of our deployment and monitoring tools assumed services or policies that the image had locked down, so we had to add exceptions.
